This article looks at the problems associated with key management that are common in many businesses today, where there is no clear ownership; then it examines the benefits of a centralized key management system and offers advice on building the business case to demonstrate both operational cost savings and a reduction in corporate risk.

Who Owns Your Keys?

Cryptographic keys are at the heart of any electronic security system, whether used for encryption, authentication, integrity protection or non-repudiation. Any compromise can fatally undermine the security application using the affected keys, exposing your business to impacts such as data breach, financial loss, service downtime, reputational damage and regulatory fines.

As the deployment of cryptographic systems has multiplied over the last decade, many businesses have found themselves with keys spread across multiple isolated and fragmented systems in different parts of their organization, and with no unified policy or clear ownership[1]. This creates many problems, such as:

Provides a full audit trail to ease internal and external compliance audits

Return on Investment (ROI)

The project cost can usually be justified by the on-going operational efficiencies alone, with a relatively short pay-back period, although it could equally be justified by the less tangible (but nonetheless very real) reduction in business risk it delivers. A phased migration can always be employed to reduce project risk and deliver progressive benefits and business risk reduction over time.

Implementing a key management system is certainly not trivial – to ensure success, the project should be scoped, resourced and managed accordingly, and the business transformational aspects should not be underestimated. For this reason, and also because of the corporate risk management benefits, the project should be sponsored at the highest level – typically by the Chief Information Security Officer (CISO) – and backed by the CEO, COO and CFO. Only then will the true business case and ROI become clear and the relevant cross-functional teams be motivated to embrace the changes.

Delaying the adoption of a centralized key management system will only prolong the problems, expense and risk associated with a lack of ownership and make the eventual change more difficult and expensive. Therefore, businesses should grasp this nettle today, before the situation gets truly out of-hand.

Cryptomathic CKMS

Cryptomathic’s Crypto Key Management System (CKMS) has evolved over the last 10 years to provide a comprehensive solution that has been successfully employed by many large enterprises around the world. The latest release introduces Bring Your Own Key (BYOK) support with the ability to Manage Your Own Key (MYOK) for external cloud services.